US20230056018A1 - Anamoly detection system for peripheral component interconnect express - Google Patents

Publication number
US20230056018A1
Authority
US
United States
Prior art keywords
trigger
event
controller
traffic anomaly
event counter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
US17/408,942
Inventor
Lin Li
Varun Kumar
Harald Zweck
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Infineon Technologies AG
Original Assignee
Infineon Technologies AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Infineon Technologies AG
Priority to US17/408,942
Assigned to INFINEON TECHNOLOGIES AG. Assignment of assignors interest (see document for details). Assignors: ZWECK, HARALD; KUMAR, VARUN; LI, LIN
Publication of US20230056018A1
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/38 Information transfer, e.g. on bus
    • G06F13/42 Bus transfer protocol, e.g. handshake; Synchronisation
    • G06F13/4204 Bus transfer protocol, e.g. handshake; Synchronisation on a parallel bus
    • G06F13/4221 Bus transfer protocol, e.g. handshake; Synchronisation on a parallel bus being an input/output bus, e.g. ISA bus, EISA bus, PCI bus, SCSI bus
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • G06F2213/00 Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F2213/0026 PCI express

Abstract

A traffic anomaly detector of a Peripheral Component Interconnect express (PCIe) system, including filters configured to filter headers of PCIe transaction layer packets (TLPs) based on respective filter criterion; a classifier configured to trigger an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria; an event counter configured to count a number of the events; and a processor configured to detect, based on a value of the event counter, an anomaly in the PCIe TLP traffic.

Description

    BACKGROUND
  • Peripheral Component Interconnect express (PCIe) is a high-speed serial interface standard applied in personal computers, servers, and mobile devices. In a PCIe topology, many devices (endpoints) may be connected to a host (root complex) via a switch. The security of PCIe topology becomes a concern as many devices from different vendors, along with independent applications using PCIe, are integrated into a single system. In such integrated systems it is important to provide security between connected devices and software applications using these devices.
  • Attack methods vary among systems, requiring corresponding mechanisms to counter or avoid attacks. One approach is to continuously monitor traffic patterns and generate statistical information for assessing a current health of the PCIe network. Data rates of PCIe network are high, and thus software-only solutions may not meet performance and latency requirements.
    BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates a schematic diagram of an example automotive Electronic Control Unit (ECU) in which aspects of the disclosure may be applied.
  • FIG. 2 illustrates a schematic diagram of a traffic anomaly detector of a Peripheral Component Interconnect express (PCIe) controller in accordance with aspects of the disclosure.
  • FIG. 3 illustrates an example of a memory write Transaction Layer Packet (TLP).
  • FIG. 4 illustrates a flowchart of a method of detecting a traffic anomaly in a PCIe network in accordance with aspects of the disclosure.
    DETAILED DESCRIPTION
  • The present disclosure is directed to detecting traffic properties and creating corresponding metadata for evaluation by software. Thereafter, a host may respond in order to maintain Peripheral Component Interconnect express (PCIe) network security.
  • FIG. 1 illustrates a schematic diagram of an example automotive Electronic Control Unit (ECU) 100 in which aspects of the disclosure may be applied.
  • The ECU 100 includes two microcontrollers 110, 120 coupled together via printed circuit board (PCB) traces 130. Each microcontroller 110, 120 includes a microcontroller core 112, 122, Ethernet media access controllers (MACs) 112, 124, other interfaces 114.3, 124.3, and PCIe controllers 116, 126. Each of the PCIe controllers 116, 126 includes a physical layer (PHY) coupled to the PCB traces 130. Ethernet MACs 112, 124 and PCIe controllers 116, 126 differ in that Ethernet MACs provide streams to its data whereas PCIe controllers 116, 126 access internal resources directly. It is therefore important that PCIe controllers 116, 126 continuously monitor traffic to protect against cyberattacks, a feature missing from the PCIe specification.
  • FIG. 2 illustrates a schematic diagram of a traffic anomaly detector 200 of a Peripheral Component Interconnect express (PCIe) controller in accordance with aspects of the disclosure.
  • The traffic anomaly detector 200 comprises one or more filters 210, a classifier 220, one or more event counters 230, a push controller 240, one or more read counters 250, a reset controller 260, and a trigger controller 270.
  • Inbound transaction layer packets (TLPs) are processed by the PCIe controller 116, 126, which is shown in FIG. 1 . In parallel, the TLPs are monitored by the one or more filters 210 implemented to count TLPs that fulfill predefined filter criteria.
  • The filters 210 are configured to apply the respective filter criterion to fields within the TLP headers. At least one of the filters 210 may be configured to filter a type field or a format field such that only memory TLPs result in a trigger. The respective filter criterion may be selected from the group of fields consisting of type, address, length, and format. For example, a memory write packet (Fmt field) with (i.e., logical AND) an address range from 0x0 to 0xFFFF (Address field). Alternatively, the filters 210 may filter TLPs with a specific requester (i.e., requester ID). There may also be a filter 210 that checks a time interval between two inbound TLPs against a pre-defined limit to detect any loss of TLPs or, alternatively, an undesirable increase.
  • The classifier 220 is configured to trigger an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria. For example, a filter 210 may count the inbound TLPs that are memory write TLPs and with addresses from 0x0000_0000 to 0x0000_FFFF. One filter 210 may check the format (Fmt) and the type fields. Another filter 210 may check the address field. Only when both filter criteria are fulfilled, the connected event counter 230 is incremented. The event counters 230 are configured to count a number of the events.
  • A processor is configured to detect, based on a value of the event counter 230, an anomaly in the PCIe TLP traffic. If a traffic anomaly is detected, the processor may be further configured to initiate a countermeasure.
  • The trigger controller 270 is configured to read the values of the event counters 230. The trigger controller 270 may notify a monitor when the value of one or more of the event counters 230 exceeds a respective threshold TH. The trigger controller 270 comprises a timer 272, and is further configured to notify a monitor of the value of the event counter periodically.
  • The trigger controller 270 is optionally configured to trigger the push controller 240 to push values of the plurality of event counters 230 from the plurality of event counters 230 to the respective plurality of read counters 250 simultaneously so that the read counters 250 store a snapshot of all event counters 230. Alternatively, the trigger controller 270 may be configured to trigger the push controller 240 to push values from the one or more event counters 230 to the respective read counters 250 selectively. This push mechanism allows values to be saved in the read counters 250 while the event counters 230 continue to monitor the inbound TLPs. Application software can read the values from the read counters 250 while the event counters 230 continue counting. This push triggering may be based on time, software control, and/or when the value of the event counters 230 exceeds respective thresholds TH. For example, the push may be activated when there are more than 1,000 memory write TLPs with addresses ranging from 0x0000_0000 to 0x0000_FFFF.
  • The trigger controller 270 is further configured to trigger the reset controller 260 to reset the event counters 230. The trigger of the reset is similar to that of the push. These resets may occur simultaneously, or alternatively, selectively. The trigger controller 270 may be configured to trigger the reset controller 260 to reset the event counters 230 based on time, software control, or if the value of the event counter exceeds a threshold TH. It is possible to use the same criteria as used to push the values to the read counters 250 to reset the event counters 230. The push and reset action criteria are generally defined by software running on the microcontroller 110, 120. The triggering of the push and reset actions is performed by hardware.
  • FIG. 3 illustrates an example of a memory write TLP 300. The header is comprised of three 32-bit words 0-2. Each word has four bytes (8 bits). The first three words 0-2 include the header fields, and the fourth word 3 includes the data. The header may include fields such as format, TLP packet type, traffic class information, attributes, TLP digest, end point, data length, request identification, tag, and the like. The disclosure is not necessarily limited by the particular header fields.
  • FIG. 4 illustrates a flowchart 400 of a method of detecting a traffic anomaly in a PCIe network in accordance with aspects of the disclosure.
  • At Step 410, filters 210 filter headers of PCIe TLPs based on respective filter criterion.
  • At Step 420, a classifier 220 triggers an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria.
  • At Step 430, an event counter 230 counts a number of the events triggered by the classifier 220.
  • At Step 440, a processor detects, based on a value of the event counter 230, an anomaly in the PCIe TLP traffic. Based on the detected traffic anomaly, the processor may initiate a countermeasure. This countermeasure may include blocking some TLPs.
  • The techniques of this disclosure may also be described in the following examples.
  • Example 1. A traffic anomaly detector of a Peripheral Component Interconnect express (PCIe) system, comprising: filters configured to filter headers of PCIe transaction layer packets (TLPs) based on respective filter criterion; a classifier configured to trigger an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria; an event counter configured to count a number of the events; and a processor configured to detect, based on a value of the event counter, an anomaly in the PCIe TLP traffic.
  • Example 2. The traffic anomaly detector of Example 1, further comprising: a read counter; a push controller; and a trigger controller configured to trigger the push controller to push the value of the event counter from the event counter to the read counter.
  • Example 3. The traffic anomaly detector of Example 2, wherein the trigger controller is configured to trigger the push controller to push the value of the event counter from the event counter to the read counter based on time, software control, and/or when the value of the event counter exceeds a threshold.
  • Example 4. The traffic anomaly detector of Example 1, wherein the classifier is configured to trigger the event based on a logical combination of the plurality of filter criteria.
  • Example 5. The traffic anomaly detector of Example 1, wherein the classifier is configured to trigger a plurality of events, each of the events based on one of the filter criterion or a logical combination of a plurality of the filter criteria.
  • Example 6. The traffic anomaly detector of Example 5, further comprising: a plurality of event counters corresponding with the plurality of events; a plurality of read counters corresponding with the respective plurality of event counters; and a trigger controller configured to trigger a push controller to push values of the plurality of event counters from the plurality of event counters to the respective plurality of read counters simultaneously.
  • Example 7. The traffic anomaly detector of Example 1, further comprising: a trigger controller configured to read the value of the event counter.
  • Example 8. The traffic anomaly detector of Example 7, wherein the trigger controller is further configured to notify a monitor when the value of the event counter exceeds a threshold.
  • Example 9. The traffic anomaly detector of Example 7, wherein the trigger controller is further configured to trigger a reset controller to reset the event counter.
  • Example 10. The traffic anomaly detector of Example 8, wherein the trigger controller is further configured to trigger the reset controller to reset the event counter based on time, software control, or if the value of the event counter exceeds a threshold.
  • Example 11. The traffic anomaly detector of Example 7, wherein the trigger controller comprises a timer, and the trigger controller is further configured to notify a monitor of the value of the event counter periodically.
  • Example 12. The traffic anomaly detector of Example 1, wherein one of the filters is configured to filter a type field or a format field such that only memory TLPs result in a trigger.
  • Example 13. The traffic anomaly detector of Example 1, wherein the respective filter criterion are selected from the group of fields consisting of type, address, length, and format.
  • Example 14. The traffic anomaly detector of claim 1, wherein if a traffic anomaly is detected, the processor is further configured to initiate a countermeasure.
  • Example 15. A PCIe controller, comprising: the traffic anomaly detector of Example 1.
  • Example 16. A method of detecting a traffic anomaly in a Peripheral Component Interconnect express (PCIe) system, comprising: filtering, by filters, headers of PCIe transaction layer packets (TLPs) based on respective filter criterion; triggering, by a classifier, an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria; counting, by an event counter, a number of the events; and detecting, by a processor based on a value of the event counter, an anomaly in the PCIe TLP traffic.
  • Example 17. The method of Example 16, triggering, by the classifier, the event based on a logical combination of the plurality of filter criteria.
  • Example 18. The method of Example 16, further comprising: periodically notifying, by the trigger controller, a monitor of the value of the event counter.
  • Example 19. The method of Example 16, further comprising: reading, by a trigger controller, the value of the event counter; and notifying a monitor if the value of the event counter exceeds a threshold.
  • Example 20. The method of Example 16, further comprising: initiating, by the processor, a countermeasure if a traffic anomaly is detected.
  • While the foregoing has been described in conjunction with an exemplary embodiment, it is understood that the term “exemplary” is merely meant as an example, rather than the best or optimal. Accordingly, the disclosure is intended to cover alternatives, modifications and equivalents, which may be included within the scope of the disclosure.
  • Although specific embodiments have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that a variety of alternate and/or equivalent implementations may be substituted for the specific embodiments shown and described without departing from the scope of the present disclosure. This disclosure is intended to cover any adaptations or variations of the specific embodiments discussed herein.
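The pipeline recited in Example 16 (filter TLP headers, classify, count events, act on the counter value) can be modelled in software as below. This is an added sketch, not code from the patent or from Infineon; the address window, the threshold of 1, the function names and the sample TLPs are assumptions constructed for illustration, while the DW0 bit positions follow the standard PCIe TLP header layout.

```c
#include <stdbool.h>
#include <stdint.h>

#define WIN_LO 0x80000000ull   /* assumed policy for this sketch: DMA writes */
#define WIN_HI 0x80100000ull   /* are expected only in [WIN_LO, WIN_HI)      */
typedef struct { uint8_t fmt, type; uint16_t len_dw; uint64_t addr; } tlp_hdr;
typedef struct { uint32_t event_cnt, read_cnt, threshold; bool alarm; } detector;

/* Decode filter-criteria fields; Fmt bit 0 set means a 4DW header (64-bit address). */
static tlp_hdr tlp_decode(const uint32_t dw[4]) {
    tlp_hdr h = { dw[0] >> 29, (dw[0] >> 24) & 0x1f, dw[0] & 0x3ff, 0 };
    if (h.len_dw == 0) h.len_dw = 1024;            /* Length 0 encodes 1024 DW */
    h.addr = (h.fmt & 1) ? ((uint64_t)dw[2] << 32) | (dw[3] & ~3u) : (dw[2] & ~3u);
    return h;
}

/* Filters, one criterion each: format/type (memory write), address and length. */
static bool f_mem_write(const tlp_hdr *h) { return (h->fmt & 6) == 2 && h->type == 0; }
static bool f_in_window(const tlp_hdr *h) {
    return h->addr >= WIN_LO && h->addr + 4ull * h->len_dw <= WIN_HI;
}

/* Classifier, event counter and threshold notification for one observed TLP. */
static void detector_observe(detector *d, const uint32_t dw[4]) {
    tlp_hdr h = tlp_decode(dw);
    bool event = f_mem_write(&h) && !f_in_window(&h);    /* logical combination */
    if (event && d->event_cnt != UINT32_MAX) d->event_cnt++;   /* saturate */
    if (d->event_cnt > d->threshold) d->alarm = true;    /* notify the monitor */
}

/* Timer or software trigger: push the count to the read counter, then reset. */
static uint32_t detector_push_and_reset(detector *d) {
    d->read_cnt = d->event_cnt;
    d->event_cnt = 0;
    return d->read_cnt;
}

static const uint32_t SAMPLE[5][4] = {  /* constructed TLPs: {DW0, DW1, DW2, DW3} */
    { 0x40000001, 0, 0x80001000, 0 },   /* MWr 3DW inside window   -> no event */
    { 0x40000001, 0, 0x00001000, 0 },   /* MWr 3DW outside window  -> event    */
    { 0x00000001, 0, 0x00001000, 0 },   /* MRd 3DW outside window  -> no event */
    { 0x60000004, 0, 0x00000001, 0 },   /* MWr 4DW above 4 GiB     -> event    */
    { 0x4A000001, 0, 0x00000000, 0 },   /* CplD, not a memory TLP  -> no event */
};

int main(void) {
    detector d = { 0, 0, 1, false };                     /* threshold = 1 */
    for (int i = 0; i < 5; i++) detector_observe(&d, SAMPLE[i]);
    return (detector_push_and_reset(&d) == 2 && d.alarm) ? 0 : 1;
}
```

The push-then-reset step gives the monitor a stable snapshot in the read counter while the event counter keeps counting the next interval, and the saturating increment keeps a flood of events from wrapping the counter back under the threshold.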

Claims (20)

What is claimed is:
1. A traffic anomaly detector of a Peripheral Component Interconnect express (PCIe) system, comprising:
filters configured to filter headers of PCIe transaction layer packets (TLPs) based on respective filter criterion;
a classifier configured to trigger an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria;
an event counter configured to count a number of the events; and
a processor configured to detect, based on a value of the event counter, an anomaly in the PCIe TLP traffic.
2. The traffic anomaly detector of claim 1, further comprising:
a read counter;
a push controller; and
a trigger controller configured to trigger the push controller to push the value of the event counter from the event counter to the read counter.
3. The traffic anomaly detector of claim 2, wherein the trigger controller is configured to trigger the push controller to push the value of the event counter from the event counter to the read counter based on time, software control, and/or when the value of the event counter exceeds a threshold.
4. The traffic anomaly detector of claim 1,
wherein the classifier is configured to trigger the event based on a logical combination of the plurality of filter criteria.
5. The traffic anomaly detector of claim 1,
wherein the classifier is configured to trigger a plurality of events, each of the events based on one of the filter criterion or a logical combination of a plurality of the filter criteria.
6. The traffic anomaly detector of claim 5, further comprising:
a plurality of event counters corresponding with the plurality of events;
a plurality of read counters corresponding with the respective plurality of event counters; and
a trigger controller configured to trigger a push controller to push values of the plurality of event counters from the plurality of event counters to the respective plurality of read counters simultaneously.
7. The traffic anomaly detector of claim 1, further comprising:
a trigger controller configured to read the value of the event counter.
8. The traffic anomaly detector of claim 7, wherein the trigger controller is further configured to notify a monitor when the value of the event counter exceeds a threshold.
9. The traffic anomaly detector of claim 7, wherein the trigger controller is further configured to trigger a reset controller to reset the event counter.
10. The traffic anomaly detector of claim 8, wherein the trigger controller is further configured to trigger the reset controller to reset the event counter based on time, software control, or if the value of the event counter exceeds a threshold.
11. The traffic anomaly detector of claim 7, wherein the trigger controller comprises a timer, and the trigger controller is further configured to notify a monitor of the value of the event counter periodically.
12. The traffic anomaly detector of claim 1, wherein one of the filters is configured to filter a type field or a format field such that only memory TLPs result in a trigger.
13. The traffic anomaly detector of claim 1, wherein the respective filter criterion are selected from the group of fields consisting of type, address, length, and format.
14. The traffic anomaly detector of claim 1, wherein if a traffic anomaly is detected, the processor is further configured to initiate a countermeasure.
15. A PCIe controller, comprising:
the traffic anomaly detector of claim 1.
16. A method of detecting a traffic anomaly in a Peripheral Component Interconnect express (PCIe) system, comprising:
filtering, by filters, headers of PCIe transaction layer packets (TLPs) based on respective filter criterion;
triggering, by a classifier, an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria;
counting, by an event counter, a number of the events; and
detecting, by a processor based on a value of the event counter, an anomaly in the PCIe TLP traffic.
17. The method of claim 16,
triggering, by the classifier, the event based on a logical combination of the plurality of filter criteria.
18. The method of claim 16, further comprising:
periodically notifying, by the trigger controller, a monitor of the value of the event counter.
19. The method of claim 16, further comprising:
reading, by a trigger controller, the value of the event counter; and
notifying a monitor if the value of the event counter exceeds a threshold.
20. The method of claim 16, further comprising:
initiating, by the processor, a countermeasure if a traffic anomaly is detected.
US17/408,942 2021-08-23 2021-08-23 Anamoly detection system for peripheral component interconnect express Pending US20230056018A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/408,942 US20230056018A1 (en) 2021-08-23 2021-08-23 Anamoly detection system for peripheral component interconnect express

Publications (1)

Publication Number Publication Date
US20230056018A1 (en) 2023-02-23

Family

ID=85229229

Country Status (1)

Country Link
US (1) US20230056018A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070266179A1 (en) * 2006-05-11 2007-11-15 Emulex Communications Corporation Intelligent network processor and method of using intelligent network processor
US20090265784A1 (en) * 2005-11-08 2009-10-22 Tohoku University Network failure detection method and network failure detection system
US20140112131A1 (en) * 2011-06-17 2014-04-24 Hitachi, Ltd. Switch, computer system using same, and packet forwarding control method
US20210124692A1 (en) * 2017-12-19 2021-04-29 Western Digital Technologies, Inc. Direct host access to storage device memory space

Legal Events

Date Code Title Description
AS Assignment

Owner name: INFINEON TECHNOLOGIES AG, GERMANY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LI, LIN;KUMAR, VARUN;ZWECK, HARALD;SIGNING DATES FROM 20210820 TO 20210823;REEL/FRAME:057256/0965

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS